Active Directory Rights Management Services (AD RMS) is a Microsoft Windows security tool that provides persistent data protection by enforcing data access policies. For documents to be protected with AD RMS, the application the document is associated with must be RMS-aware. Originally known as Windows RMS, the name was changed to AD RMS in Windows Server 2008.
AD RMS has server and client components. The server component is made up of multiple web services that run on a Microsoft server. The client component, which can either be run on a client or server operating system, contains functions that enable an application to encrypt and decrypt content, acquire licenses and certificates from a server and perform many other security-related tasks.
Microsoft made significant changes to AD RMS in Windows Server 2012. These changes included an updated set of SQL Server requirements, Server Core support, a remote deployment option and an option to deploy with PowerShell commands.
A “data chaperone”
The idea behind RMS is that the protection you can give to any piece of information is persistent — it travels with the data and can’t be stripped from it arbitrarily. A specific example of this would be an email that could only be opened by the person it’s sent to, and it could not be printed, forwarded or copy/pasted. Another example might be a document that is set to expire; after a certain period of time has elapsed, the document self-destructs and cannot be reopened.
The rules are set and managed on a central server but are also designed to travel with the data in such a way that the rules will still work even when the server’s not accessible or where there is no network connectivity at all. This way, the data is “chaperoned” no matter where it goes.
Individuals or smaller organizations that want to protect data typically use encryption of some kind, but Rights Management Services has some advantages over using standalone encryption. For instance, if you use a public/private key pair encryption system to encrypt a file and send it to someone, the minute they decrypt the file they have unlimited use of it. By contrast, RMS lets you control what can be done with the file even after it has arrived: each specific action that can be done with a file has its own rules.
RMS also hooks into the operating system on the client side to prevent the protected data from being hijacked out. An RMS-aware application, for instance, does not allow screenshots to be taken of any RMS-protected data.
AD RMS templates support the following rights:
- Full Control: Gives a user full control over an AD RMS-protected document.
- View: Gives a user the ability to view an AD RMS-protected document.
- Edit: Allows a user to modify an AD RMS-protected document.
- Save: Allows a user to use the Save function with an AD RMS-protected document.
- Export (Save As): Allows a user to use the Save As function with an AD RMS-protected document.
- Print: Allows an AD RMS-protected document to be printed.
- Forward: Used with Exchange Server. Allows the recipient of an AD RMS-protected message to forward that message.
- Reply: Used with Exchange Server. Allows the recipient of an AD RMS-protected message to reply to that message.
- Reply All: Used with Exchange Server. Allows the recipient of an AD RMS-protected message to use the Reply All function to reply to that message.
- Extract: Allows the user to copy data from the file. If this right is not granted, the user cannot copy data from the file.
- Allow Macros: Allows the user to utilize macros.
- View Rights: Allows the user to view assigned rights.
- Edit Rights: Allows the user to modify the assigned rights.
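The "chaperone" idea and the rights list above can be shown as a small policy check: every fact needed for a decision (who the license was issued to, which of the template rights were granted, when the content expires) is carried with the content, so an RMS-aware application can decide offline without contacting the server. The following is an added illustrative model written for this article; it is not AD RMS code or Microsoft's API, and the right names, the UseLicense type, the is_permitted function and the sample licenses are this example's own constructions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple

# The twelve template rights listed above, plus Full Control. The string
# names are this example's own; AD RMS uses its own internal identifiers.
TEMPLATE_RIGHTS = frozenset({
    "View", "Edit", "Save", "Export", "Print", "Forward", "Reply",
    "ReplyAll", "Extract", "AllowMacros", "ViewRights", "EditRights",
})
FULL_CONTROL = "FullControl"


@dataclass(frozen=True)
class UseLicense:
    """Toy stand-in for the license that travels with protected content.

    Everything needed for a decision is inside the license, so the check
    below never needs to reach the server: that is the "chaperone" idea.
    """
    principal: str                      # identity the license is issued to
    rights: FrozenSet[str]              # granted rights (subset of the above)
    expires: Optional[datetime] = None  # None means the content never expires

    def __post_init__(self) -> None:
        # Reject licenses that name rights the template model does not define.
        unknown = self.rights - TEMPLATE_RIGHTS - {FULL_CONTROL}
        if unknown:
            raise ValueError(f"unknown rights in license: {sorted(unknown)}")


def effective_rights(lic: UseLicense) -> FrozenSet[str]:
    """Full Control grants every right; otherwise only what was listed."""
    if FULL_CONTROL in lic.rights:
        return TEMPLATE_RIGHTS | {FULL_CONTROL}
    return lic.rights


def is_permitted(lic: UseLicense, principal: str, action: str,
                 now: datetime) -> Tuple[bool, str]:
    """Offline decision an RMS-aware application would make before acting."""
    if principal != lic.principal:
        return False, "license was not issued to this principal"
    if lic.expires is not None and now >= lic.expires:
        return False, "content has expired"
    if action not in TEMPLATE_RIGHTS | {FULL_CONTROL}:
        return False, f"unknown action {action!r}"
    if action in effective_rights(lic):
        return True, "granted"
    return False, f"right {action!r} not granted"


# Constructed sample data (not real licenses or real identities).
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=30)

# "Do not forward" mail: the recipient may read and reply, but may not
# forward, print, or copy text out of the message (no Extract right).
DNF_MAIL = UseLicense(
    principal="alice@example.com",
    rights=frozenset({"View", "Reply", "ReplyAll"}),
)

# Document that self-destructs a week after issue.
EXPIRING_DOC = UseLicense(
    principal="alice@example.com",
    rights=frozenset({"View", "Print"}),
    expires=NOW + timedelta(days=7),
)

# Author's own copy: Full Control implies every other right.
OWNER_DOC = UseLicense(principal="bob@example.com",
                       rights=frozenset({FULL_CONTROL}))


if __name__ == "__main__":
    checks = [
        (DNF_MAIL, "alice@example.com", "Reply", NOW),
        (DNF_MAIL, "alice@example.com", "Forward", NOW),
        (DNF_MAIL, "alice@example.com", "Extract", NOW),
        (DNF_MAIL, "mallory@example.com", "View", NOW),
        (EXPIRING_DOC, "alice@example.com", "View", NOW),
        (EXPIRING_DOC, "alice@example.com", "View", LATER),
        (OWNER_DOC, "bob@example.com", "EditRights", NOW),
    ]
    for lic, who, action, when in checks:
        ok, why = is_permitted(lic, who, action, when)
        verdict = "ALLOW" if ok else "DENY"
        print(f"{who:22} {action:10} on {when.date()}: {verdict:5} ({why})")
```

The point of the model is the order of the checks: identity, then expiry, then the granted right. The same license that allows Reply denies Forward and Extract, and the expiring document is readable today but refuses to open thirty days later, with no server involved in either decision. A real deployment also binds the license cryptographically to the recipient's machine and identity certificates, which this toy model leaves out.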
To deploy Rights Management Services in an organization, you’ll need the following pieces:
- The RMS Server itself (a 2 MB component). The server component is free to anyone running a licensed copy of Windows Server 2003.
- An installation of Windows Server 2003 or better.
- An Active Directory repository.
- An installation of IIS 6.0 or better.
- A database server such as SQL Server or Microsoft Data Engine. (You can use other databases, but they must be able to support Transact-SQL and Microsoft SQL Server-specific function calls.)
- RMS-enabled applications, such as Microsoft Office 2003, for creating and viewing most protected data.
- Client access licenses for RMS. Every user who creates or views data protected in RMS will need a separate client access license. They average about $37 per user.
The most obvious and widely used RMS-enabled applications are programs in Microsoft Office 2003. You can also make Internet Explorer into an RMS client through an add-on, which allows people to view or print RMS-enabled documents (if they’re allowed to do so), but not edit them. You can protect plain HTML files with RMS using the RMS software development kit (SDK), and then view them in an RMS-enabled copy of IE.
If you have an existing internal application written in C++ that you want to make compatible with RMS, Microsoft provides a software development kit to do that.